1. technology and computing
2. hardware
3. computer networking
4. router

Comparative Analysis:
Cisco Catalyst 4500E
HP 5400R zl2
DR150313D
June 2015
Miercom
www.miercom.com
Contents
1 - Executive Summary ............................................................................................................................. 3
2 - About the Products Tested ............................................................................................................... 4
Cisco ............................................................................................................................................................................ 4
HP................................................................................................................................................................................. 6
Comparing 10-Gigabit Ethernet (10GE) Line Cards ....................................................................................... 8
3 - Test Bed Setup ...................................................................................................................................10
4 - Throughput with No Packet Loss ...................................................................................................11
5 - Buffer-Depth Capacity Test .............................................................................................................13
6 - Security – ACL Support ....................................................................................................................16
7 - High Availability – In-Service Software Upgrade (ISSU) .............................................................20
8 - Max Forwarding Information Base Table (FIB) Capacity ............................................................23
9 - Wireshark – Integral Switch-based Diagnostics...........................................................................25
10 - About Miercom ...............................................................................................................................30
11 - Use of This Report...........................................................................................................................30
Cisco 4500E v HP 5400R zl2
Copyright © Miercom 2015
2
DR150313E
4 June 2015
1 - Executive Summary
Miercom was engaged to perform comparative testing of two high-capacity, modular enterprise
access switches: the popular Cisco Catalyst 4500E, and a comparably configured, competitive switch,
the HP 5400R zl2, from Hewlett-Packard Company.
Miercom conducted hands-on testing and assessed the performance of select features that are
critical for the reliable operation of enterprise networks. The switches were tested side-by-side in a
well-equipped West Coast test lab.
Key Findings:
Cisco accommodates much
larger data bursts with no loss
Testing found the Cisco Catalyst 4500E accommodates up to nine
times larger data bursts, delivered to otherwise loaded output ports,
without loss, than the HP 5400R zl2.
Significantly greater Access
Control List (ACL) capacity
The Cisco switch supports much greater ACL capacity than the HP
switch, as well as ACL sharing across ports for both IPv4 and IPv6 ACLs,
improving security efficiency.
Software-upgrade Downtime
Testing found that during active software upgrades, downtime and lost
data is 35 times greater with the HP 5400R zl2 than the Cisco 4500E.
Simplified Diagnostics via
embedded Wireshark
With an integral Wireshark data-capture, decode and analysis tool, the
Cisco Catalyst 4500E enables straightforward local data-flow
diagnostics.
Significantly greater Routing
Table Capacity
Testing found the Cisco Catalyst 4500E supports more than 25 times as
many IPv4 and IPv6 routes than the HP 5400R zl2, supporting larger
deployments and future-proofed growth.
Higher 10GE port density
The Cisco Catalyst 4500E offers much higher 10GE port density
compared to the HP 5400R zl2.
Comparable 10GE-Line-Card
Cross-Fabric Throughput
The maximum bidirectional throughput between eight 10GE ports on
one line card and eight 10GE ports on another card were comparable,
achieving about 96 Gbps of throughput.
Miercom has independently verified key performance aspects and feature differences between
the Cisco Catalyst 4500E and the HP 5400R zl2. With better handling of data bursts, superior
security via ACL capacity, quicker software upgrade and greater IP-route capacity, we present
the Miercom Performance Verified certification to the Cisco Catalyst
4500E as a result of this comparative switch testing.
Robert Smithers
CEO
Miercom
Cisco 4500E v HP 5400R zl2
Copyright © Miercom 2015
3
DR150313E
4 June 2015
2 - About the Products Tested
The switches that were tested are both high-capacity modular enterprise network switches,
which can serve in access, aggregation or core layers depending on modules and
configuration.
Cisco
The Cisco switch tested was the Cisco Catalyst 4510R+E, pictured below. The 10-slot
switch is the high-end model of the vendor's popular Catalyst 4500E series. Two slots in
the center (slots 5 and 6) are designed and reserved for two fully redundant Supervisor
8-E modules. The latest Supervisor Engine 8-E was employed in the testing. The Cisco
switch in our testing ran software version IOS-XE 03.07.00E.
Cisco Catalyst 4510R+E,
shown here with two
redundant Supervisor 8-E
modules in the middle.
The 24-inch-high (14 RU) Catalyst 4510E chassis has eight line card slots, and the vendor
offers an extensive range of line cards, varying in speed, number and type of ports and
media (copper/RJ-45, including with or without PoE, or fiber SFP and SFP+).
The Cisco Catalyst 4500E switch with Supervisor Engine 8-E supports configurations with
up to 384 Gigabit Ethernet (1GE) access ports, or up to 104 x 10-Gigabit Ethernet (10GE)
fiber ports (eight uplink ports plus 96 line card ports). In a single chassis with dual
supervisors, 4 uplinks are active on each supervisor thereby providing uplink redundancy
when these ports are deployed as 10GE uplinks in access deployment.
Cisco 4500E v HP 5400R zl2
Copyright © Miercom 2015
4
DR150313E
4 June 2015
The Cisco Catalyst 4510R+E chassis tested (see below) was configured with the following
modules:
Slot
Number
Ports
Description
Model/Part number
1
12
10 Gigabit Ethernet SFP+ line card
WS-X4712-SFP+E
5
8
Supervisor 8-E, 10GE (SFP+), 1000BaseX
(SFP)
WS-X45-SUP8-E
6
8
Redundant Supervisor 8-E, 10GE (SFP+),
1000BaseX (SFP)
WS-X45-SUP8-E
9
12
10 Gigabit Ethernet SFP+ line card
WS-X4712-SFP+E
Cisco 4500E v HP 5400R zl2
Copyright © Miercom 2015
5
DR150313E
4 June 2015
HP
The HP switch tested was the HP 5400R zl2, a 12-slot switching system – plus two
dedicated slots at the top for one or two (redundant) management modules. Software
version KB.15.16.0005 was run for all our tests.
The switching system can serve access, aggregation or core roles, depending on
modules and configuration. Also, as with the Cisco 4500E, more than a dozen different
line-card modules are offered, which vary in port speed and connection type (RJ-45
copper, including PoE, and fiber SFP and SFP+).
The HP 5400R zl2 switch
features two vertical side-byside chassis rows, offering 12
slots for line cards, plus two
dedicated slots on top for one
or two management modules.
The switch is shown here with
four 24-port GE line-card
modules.
The 12-inch-high (7 RU) HP 5412R zl2 chassis can deliver up to 288 Gigabit Ethernet
ports, or up to 96 x 10GE ports (RJ-45 copper or fiber SFP+).
In terms of form-factor for enterprise deployment, Cisco has a practical advantage with
the Catalyst 4500E being only 12.5” (31.8 cm) deep for easy deployment in tight spaces.
It also has easy access to power supplies through the front for easy serviceability. In
contrast, the HP 5400R zl2 has 42% more depth at 17.75” (45.1 cm). On top of that, HP
5400R zl2 would require at least 12” to 18” (30 cm to 45 cm) in the rear to pull out
power supplies for servicing.
Cisco 4500E v HP 5400R zl2
Copyright © Miercom 2015
6
DR150313E
4 June 2015
The HP 5400R zl2 switch tested (see below) was configured with the following modules:
Slot(s)
Number
Ports
Top 2
Description
Model/Part number
--
2 x (redundant) HP 5400R zl2
Management Modules
J9827A
A (top left)
8
HP 8-port 10GbE SFP+ v2 zl Module
J9538A
K (bottom
left)
24
HP 24-port Gig-T PoE+ v2 zl Module
J9534A
L (bottom
right)
8
HP 8-port 10GbE SFP+ v2 zl Module
J9538A
Cisco 4500E v HP 5400R zl2
Copyright © Miercom 2015
7
DR150313E
4 June 2015
Comparing 10-Gigabit Ethernet (10GE) Line Cards
The 10GE line cards used for this testing were the latest, highest-port-density versions of
10GE line cards offered by these vendors for these switches at the time of testing. The
10GE line cards of Cisco and HP are architected differently, however. While it is possible
in either case for any port on either vendors' 10GB line card to send and receive data at
the full line rate of 10 Gbps, it is not possible – in either case – for all ports on the card to
send and receive at the full line rate of 10 Gbps at the same time.
It is useful in understanding the 10GE-port throughput test results that follow to
understand how these line cards are architected differently. In Cisco's case, the 12 ports
on the 10GE SFP+ line card (part WS-X4712-SFP+E) are aggregated into four groups of
three ports each, as shown in the diagram below.
Cisco 4500E w/ 12-port 10GE Line Cards
1
2
3
4
5
6
7
8
9
10
11 12 .
1
port groups
2
3
Group 1 contains ports
1, 2 and 3
4
Group 2 contains ports
4, 5 and 6
5
Group 3 contains ports
7, 8 and 9
6
Group 4 contains ports
10, 11 and 12
7
8
9
1
2
3
4
5
6
7
8
9
10
11 12 .
The operational and performance characteristics of the ports are as follows:



Each port is rated at 10GE and can, by itself, achieve full rate throughput of 10
Gbps (20 Gbps bi-directionally) max
Each group of 3 ports on the line card collectively shares 12 Gbps throughput (24
Gbps bi-directionally)
The line card, with all 4 port groups (all 12 ports) collectively supports a total of
48 Gbps throughput (96 Gbps bi-directionally).
Cisco 4500E v HP 5400R zl2
Copyright © Miercom 2015
8
DR150313E
4 June 2015
The 10GE ports on the HP eight-port line card (part J9538A) have similar architectural
limitations. As shown in the diagram below, the eight ports are aggregated onto two
"channels."
HP 5400R zl2 w/ 8-port 10GE Line Cards
1 2
3 4
5
6
7 8
A
B
C
D
E
F
G
H
I
Channel 1 contains
ports 1, 4, 6 and 8
Channel 2 contains
ports 2, 3, 5 and 7
J
1 2
3 4
5
6
K
7 8
L
channel 1
channel 2
The operational and performance characteristics of the ports are as follows:




Each port is rated at 10GE and can, by itself, achieve full rate throughput of 10
Gbps (20 Gbps bi-directionally) max
4 ports of the 8 port 10G line card use channel 1 and the other 4 ports use
channel 2 to connect to the switch fabric.
Each channel on the line card collectively supports 23.4 Gbps throughput (46.8
Gbps bidirectionally)
The line card with both channels (all eight ports) collectively supports a total of
46.8 Gbps throughput (93.66 Gbps bidirectionally)
Users will want to keep these architectural differences in mind for deployment – such as
using just one or two ports per group, or two or three ports per channel, for heavily
loaded backbone links. Also, users should note these limitations when viewing the
throughput results of this testing. In the main test case, we sought to determine the
maximum throughput that could be achieved from the 10GE ports on one line card,
across the backplane, to the 10GE ports on another line card.
Since the HP switch supports eight 10GE ports per line card, the throughput test was
devised to deliver bidirectional data between the eight ports on two different line cards,
one at the top and the other near the bottom. For purposes of a fair comparison, the
Cisco switch was likewise tested, in the same manner, between eight ports on two of its
12-port line cards.
Cisco 4500E v HP 5400R zl2
Copyright © Miercom 2015
9
DR150313E
4 June 2015
3 - Test Bed Setup
All tests of the Cisco and HP switches employed the same Ixia test system: IxNetwork
software controlling test modules in a 12-slot Ixia XM12 chassis. Each switch was tested
as a standalone unit directly connected to the Ixia XM12 Test System.
The Ixia XM12 chassis was used with the IxNetwork application as the primary traffic
generator that drove network traffic through the switches. IxNetwork offers a vast library
of test methodologies. Ixia (www.ixiacom.com) is an industry leader in the performance
testing of networking equipment. Ixia’s exclusive approach and comprehensive set of
online open-source test methodologies makes Ixia a clear choice for testing Layer 2-toLayer 7-based networking products.
Switch under Test
Ixia Test System
Cisco Catalyst 4500E
XM12 multi-slot chassis with
IxNetwork software
Bi-directional
traffic
Ixia XM12
Switch under Test
HP 5400R zl2
Bi-directional
traffic
Source: Miercom, March 2015
The tests in this report are intended to be reproducible for customers who wish to
recreate them with the appropriate test and measurement equipment. Contact Miercom
Professional Services via [email protected] for assistance. Miercom recommends
customers conduct their own needs analysis study and test specifically for the expected
environment for product deployment before making a product selection. Miercom
engineers are available to assist customers for their own custom analysis and specific
product deployments on a consulting basis.
Cisco 4500E v HP 5400R zl2
Copyright © Miercom 2015
10
DR150313E
4 June 2015
4 - Throughput with No Packet Loss
“Cisco Catalyst 4500E offers significantly higher port density with a similar throughput
performance to the HP 5400R zl2 with v2 modules.”
Objective
To determine the maximum throughput that can be obtained, with no loss, between 16
ports, on two 10GE line cards, across the switch fabric.
How We Did It
In this test we sought to determine the maximum throughput that could be achieved
from the 10GE ports on one line card, across the switching fabric, to the 10GE ports on
another line card. The Ixia test system was connected to 16 ports on each switch, and
delivered bidirectional traffic at various packet sizes. The traffic switching performance
was measured using the RFC 2544 test available in IXIA that searches for the maximum
throughput with no packet loss.
Since the HP switch supports just eight 10GE ports per line card, the throughput test was
set-up to deliver bidirectional data between the 16 ports on two different line cards, with
eight ports on a line card at the top and the other line card near the bottom of the
chassis.
The Cisco switch was likewise tested in the same manner: Bidirectional traffic was
generated between 16 ports on two of its 10GE line cards, in the same switching system,
across the switching fabric, and adjusted until the max throughput rate with no loss was
determined.
Cisco 4500E vs HP 5400R zl2: Aggregate, 16-port,
Bidirectional L2 Throughput with 0 Frame Loss
Cisco 4500E
83 84
73
89 90
HP 5400R zl2
94 94
92 93
95 94
95 94
61
Gbps
100
90
80
70
60
50
40
30
20
10
0
Frame Size
Cisco 4500E
HP 5400R zl2
64
128
256
512
1024
1280
1518
73
83
89
92
94
95
95
61
84
90
93
94
94
94
Source: Miercom, March 2015
Cisco 4500E v HP 5400R zl2
Copyright © Miercom 2015
11
DR150313E
4 June 2015
Results Summary
Cisco and HP exhibited comparable performance. As the graph shows, total bidirectional
throughput between 16 ports was between about 83 and 95 Gbps, depending on packet size.
This does not represent wire speed on all ports, due to the architectural constraints discussed
earlier. Generally speaking, the test results showed that the realistic aggregate bidirectional
throughput between two 10GE line cards – eight ports on each card – equates to roughly 60
percent of the combined, all ports' line rate. However, all things being equal, the throughputs
between the Cisco and HP switches are comparable in this respect.
Using the previous architectural constraints and the performance results from these tests and the
port density numbers based on the data sheets, several conclusions can be extrapolated:

With 12 line-card slots (using v2 modules), the HP switch supports the equivalent of 48 x
10GE ports at line rate (4 GE ports at wire rate per 8-port 10GE line card, times 12 line
cards).

The Cisco Catalyst 4500E also uniquely supports the merger with another 4500E switch into
a single Virtual Switching System, or VSS. The two switches are managed and behave as
one. Up to eight 10GE links connect the two switches for traffic routing and switching. In a
fully expanded VSS mode, then, the Catalyst 4500E supports 80 x 10GE ports at line rate (64
line-card ports plus sixteen 10GE Sup8-E uplink ports), less the number of 10GE ports used
to link the two switching systems.

In terms of total number of 10G ports, Cisco can support up to 208 10G ports in a single
VSS system (192 line card ports + 16 Sup8-E uplink ports) while HP can do only 96 10G
ports (12 line-card slots with 8 10G ports in each line card).
Cisco 4500E v HP 5400R zl2
Copyright © Miercom 2015
12
DR150313E
4 June 2015
5 - Buffer-Depth Capacity Test
“Cisco Catalyst 4500E offers up to nine times the burst capacity of the HP 5400R zl2 with
v2 modules.”
Objective
When an outbound switch port is overloaded – that is, there is more data to be sent out than the
port has bandwidth to send – the result is buffered and/or dropped packets. Such momentary
events are termed data "bursts." All switches and routers have buffers to accommodate such
bursts – up to a point.
The goal of this testing was to compare how well the Cisco and HP switches accommodate data
bursts.
How We Did It
The test plan was to determine the "maximum burst size" that the switch could accommodate on
an output port. The switch under test was configured with three active ports. The set-up for the
Cisco switch test is shown in the diagram below.
Ixia ports
slot 4
Ixia ports
slot 5
Cisco 4500E Burst Traffic Port Configuration
1/1
4/1
Base Traffic
Line Rate
5/1
9/1
Egress Traffic
4/2
1/2
Burst Traffic #’s
of packets
Line Card 1
Line Card 9
Source: Miercom, March 2015
The Ixia test system delivered a 10-Gbps, Layer-2 traffic flow in one direction to Port 1
on the 10GE line card in slot 1 of the Cisco 4500E switch. This line-rate "Base Traffic
Flow" was forwarded to output on Port 1 on the 10GE line card in slot 9, and delivered
back out to the Ixia traffic generator. This traffic flow, which changed for each test
packet size, would fully load the outbound channel of Port 9/1. The Ixia would confirm
that there was no packet loss.
Then, in addition to this stream, a single burst of a specified number of packets (at the
current test packet size), is sent in on a different port (Port 1/2). The line-rate, steadyCisco 4500E v HP 5400R zl2
Copyright © Miercom 2015
13
DR150313E
4 June 2015
state stream and the burst are forwarded to the same output port. All the output from
this port is sent back out to the Ixia test system, which meticulously compares the sent
traffic with the packets returned, looking for any dropped packets.
The size of the burst (the number of burst packets) sent is compared with the burst
packets received and, if there is no loss, the burst size would be increased – until loss
started to occur. Three test runs with 0 loss confirm that the "maximum burst size
without packet loss" has been found (for that particular packet size). The number of
packets for each such burst without loss, for each packet size, are then graphed and
compared by packet size. The max burst size without loss equates directly to the output
buffer depth of the line card.
Ixia ports
slot 4
Ixia ports
slot 5
HP 5400R zl2 Burst Traffic Port Configuration
A1
4/1
Base Traffic
Line Rate
5/1
L1
Egress Traffic
4/2
A2
Base Traffic #’s
of packets
Line Card A
Line Card L
Source: Miercom, March 2015
The same set of tests was then applied in the same manner to the HP 5400R zl2 switch
(see above diagram). One port (Port 1 on the 10G line card in slot A) carried the Base
Traffic Flow at line rate to the output port (Port 1 on the 10G line card in slot L), while
and a second port on the line card A carries the burst flow of a specific number of
packets.
Cisco 4500E v HP 5400R zl2
Copyright © Miercom 2015
14
DR150313E
4 June 2015
Results Summary
L2 Max Burst Size without Dropping Packets
Number of Burst Packets (by packet size)
12000
Cisco
Number of Packets
10000
HP
8000
6000
4000
2000
0
Packet Size
Cisco
HP
66
128
256
512
1024
1280
1518
10800
10540
9850
9500
9370
9350
9300
3031
3030
3031
3031
1515
1009
1009
Source: Miercom, March 2015
The graph highlights the differences in buffer management and buffer depth between
the Cisco 4500E and the HP 5400R zl2 switches. The larger Cisco internal output buffers
on the ports provide additional space to handle much larger traffic bursts without losing
data. The differences are dramatic: At small packet sizes the Cisco 4500E accommodates
over three times larger bursts with no packet loss than the HP 5400R zl2. At large packet
sizes the Cisco 4500E accommodates over nine times larger bursts with no packet loss
than the HP 5400R zl2.
Cisco 4500E v HP 5400R zl2
Copyright © Miercom 2015
15
DR150313E
4 June 2015
6 - Security – ACL Support
“The Cisco Catalyst 4500E has 128K ACL table entries compared to 8K entries per line
card on the HP 5400R zl2 while using less than half of the number of table entries per
ACL when compared with the 5400R zl2. This makes the Catalyst 4500E a highly scalable
platform for secure deployments.”
A key security feature in today's networks is Access Control Lists, or ACLs. These are
filters applied to switches, usually on a per-port basis, which allow or prohibit inbound
and outbound packets. Filtering can be applied, for example, to the IP field, source or
destination IP address, TCP/UDP port number, per-VLAN or per-port.
Besides security, ACLs help accomplish traffic-flow controls for Quality-of-Service (QoS)
handling, as well as Role-Based Access Control, where users are restricted or authorized
access based on their locations or roles.
Objective
ACLs are composed of ACE’s (Access Control Entries), which are programmed as TCAM
(Temporary Content-Addressable Memory) entries in the switch hardware for fast access
while routing packets.
For example the following ACL “acl101” contains 5 ACE entries:
Switch#sh access-list acl101
Extended IP access list acl101
10 permit tcp any any eq 1
20 permit tcp any any eq 2
30 permit tcp any any eq 3
40 permit tcp any any eq 4
50 permit tcp any any eq 5
The ACLs are limited by the number of ACE entries that can be created through the
Command Line Interface (CLI), the number of TCAM hardware entries on each line card,
and the total number of TCAM entries allowed in the system.
NOTE: When an ACE is programmed into a TCAM, it may take up 1 or more TCAM
entries depending on the implementation. For example, when you bind the above ACL
with 5 ACE entries to a port on Cisco switch, it results in programming of 7 TCAM entries.
On the other hand, when you bind the same ACL with 5 ACE entries to a port on HP
switch, it results in programming of 22 TCAM entries. This shows that ACL programming
on Cisco switch is much more efficient and scalable as compared to that on HP switch.
Cisco 4500E v HP 5400R zl2
Copyright © Miercom 2015
16
DR150313E
4 June 2015
In this testing we examine several aspects of the Cisco 4500E and HP 5400R zl2 switches:


The maximum number of ACL HW entries that each switching system supports
The ability to share common ACLs, for better efficiency and capacity utilization.
How We Did It – Cisco 4500E
To verify the maximum number of Cisco ACEs, we created multiple IPv4 Inbound ACLs,
each containing 10,000 ACEs (matching on TCP port) that result in programming of
10,177 TCAM entries. We applied one such ACL to each 10G port on a single line card.
We adjusted the last ACL’s entries to just max out the ACL TCAM entries for Inbound
IPv4 ACEs. In total we were able to apply 58358 ACE entries, with each ACE entry
defined to match on TCP port.
For this test we counted only ACEs that are stored in the TCAM memory. On Catalyst
switch, ACEs can also be stored in software buffers, but access to them is much slower,
so we ignored those for this test.
Results Summary
We maxed out the Cisco switch with 59,392 TCAM entries allocated on the IPv4 Inbound
Security Group.
We obtained the following Cisco Content Addressable Memory (CAM) utilization
statistics:
#sh platform hardware acl stat utilization br
sh platform hardware acl stat utilization br
CAM Utilization Statistics
Input
Input
Input
Input
Security
Security
Forwarding
Forwarding
Output RoleBased
Output Security
Output Security
Output Qos
Output Qos
Output Unallocated
(160)
(320)
(160)
(320)
(160)
(160)
(320)
(160)
(320)
(160)
Used
59392 (100%)
34 (1 %)
7 (0 %)
24 (1 %)
0
6
12
10
2
0
(0 %)
(0 %)
(0 %)
(0 %)
(0 %)
(0 %)
Free
0 (0 %)
2014 (99 %)
2041 (100%)
2024 (99 %)
Total
59392
2048
2048
2048
2048 (100%)
2042 (100%)
2036 (100%)
2038 (100%)
2046 (100%)
55296 (100%)
2048
2048
2048
2048
2048
55296
The output above shows that all the 59,392 IPv4 ACL TCAM entries for inbound security
have been programmed, with an additional 6,079 TCAM entries still available for
inbound IPv6 security and IPv4 forwarding for a total of 65536 (64K) ACL entries.
Cisco 4500E v HP 5400R zl2
Copyright © Miercom 2015
17
DR150313E
4 June 2015
In addition there remains available space for another 65536 (64K) ACL entries for
outbound filters.
The net result: There is room for 128K Inbound and Outbound ACL HW entries in the
Cisco 4500E across all line cards in the Chassis.
How we did it - HP 5400R zl2 switch.
We applied similar IPv4 ACE entries (matching on TCP port) to a 10G port in slot A of the
HP 5400R zl2 switch. On HP switch, each ACE entry matching on TCP port results in
programming of 4 ACL TCAM entries.
The maximum ACL TCAM entries available on a per line card basis of HP switch is 8,176
entries.
We maxed out this ACL TCAM space with just 2,044 ACE entries (2043 entries matching
on TCP port + 1 explicit deny all entry) as verified by the output of the command “sh
access-list resources”:
HP-5412Rzl2# sh access-list resources
Slots
A
K
L
Rules
Available
0
8176
8176
ACL
QoS
IDM
VT
Mirr
PBR
OF
Other
8176
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
We tried applying more ACEs to a different port of the same line card, we got the error:
“Unable to apply Access Control List. Failed to add entry 10.”
Thus maximum number of ACL TCAM entries is limited to 8,176, for a line card on HP
switch, with a port limited to only the TCAM entries that are available on the
corresponding line card.
For the 12 line card slot chassis, that would limit the ACLs across all the line cards to
(8176 per card X 12 cards) = 98,112 HW ACL entries.
ACL sharing
Another key difference between switches, our testing showed, is that Cisco allows
sharing of ACLs across all ports on line cards in the 4500E switching system, without
consuming additional ACE memory space.
To verify this we filled nine of the 12 ports on the line card in Slot 1 with ACLs and ACEs,
as in the previous ACL capacity test. We verified that no new ACLs could be bound to
any port in the system.
Cisco 4500E v HP 5400R zl2
Copyright © Miercom 2015
18
DR150313E
4 June 2015
We then attempted to share "ACL110," an ACL we had previously created and bound to
port 1/1, with the remaining ports on the line card in Slot 1, and to the ports on the line
card in Slot 9.
The Cisco 4500E accepted the shared ACL on the remaining ports on the line card in
Slot 1, and also on all the ports on the line card in Slot 9. The ACL "ACL110" was
successfully shared across all the remaining ports in the system when the system could
no longer accept the binding of new ACLs to any ports.
The HP 5400R zl2 does not allow sharing of ACLs to conserve TCAM space even if the
same ACL is used in which case the duplication consumes additional resources.
“In the case of Cisco Catalyst 4500E, applying the same ACL on multiple interfaces will
consume only one set of ACL TCAM entries shared across those interfaces. The HP
5400R zl2, on the other hand, will program the ACL entries multiple times, once for each
interface, thus consuming significantly more of its already limited ACL TCAM entries.
This ACL sharing capability allows the Catalyst 4500E to scale to much larger
campus deployments.”
The ACL capacities and capabilities verified by this testing, then, are as follows:
Cisco 4500E
HP 5400R zl2
Total ACL capacity
131,072 (128K)/system
8,176/card
98,112/system
Ability to share ACLs
among ports and cards
Yes
No
Cisco 4500E v HP 5400R zl2
Copyright © Miercom 2015
19
DR150313E
4 June 2015
7 - High Availability – In-Service Software Upgrade (ISSU)
“The Catalyst 4500E provides service continuity during software upgrades with the In
Service Software Upgrade capability which HP 5400R zl2 does not have.”
Objective
Both Cisco Catalyst 4500E and HP 5400R zl2 switches support redundant control
modules – "supervisor" modules in Cisco's case, "management" modules in HP's case.
Because of this it is possible to upgrade the switch's operating software while the switch
continues full operation. So-called In-Service Software Upgrade – ISSU in Cisco parlance
– is possible because the modules are redundant – one operates in an active role and
the other as a back-up.
New software is loaded onto the back-up module and then, under user control, the
module with the new software is switched to as the active and the active, with the old
software version, is relegated to the standby role.
However, this switchover does involve a brief interruption to the system, which is
unavoidable given the volumes of data that are in transit through the switch when the
new module and new software take over. In this test we sought to quantify the extent
and impact of this interruption.
How We Did It
Both Cisco and HP switches uses two flash memory locations to store the two software
versions.
Cisco 4500E vs HP 5400R zl2
Downtime for Software Upgrade
500
466.24
milliseconds
400
300
200
100
12.68
0
Cisco Cisco
4500E4500
withE8
Sup8E
5400Rzl2
zl2
HP 5400
Source: Miercom, March 2015
Cisco 4500E v HP 5400R zl2
Copyright © Miercom 2015
20
DR150313E
4 June 2015
Results Summary
After the new software version is loaded into the boot flash on the standby, the system is
rebooted from the standby, making it the active. Then the active module fails over to
become the standby, and it reboots after loading the new software into its flash.
During this fail-over some packets are lost.
This test measures the duration of, and the amount of packets lost during, that failover
period. The Ixia test system ran a single data stream of 256-byte IPv4 packets in one
direction through 10GE ports at one-half line rate (5 Gbps).
Cisco. The Cisco 4500E's software version was upgraded from IOS XE 03.06.01.E to
03.07.00.E. Cisco employs one command “issu changeversion” that manages the whole
software-version switchover.
HP. There are three steps involved in updating the HP 5400R zl2. Each action entails a
separate command, but the actual failover is just one command. And like the Cisco
system, this starts the interruption period where packet loss occurs.
Cisco Catalyst 4500E with Sup8-E
(IOS XE 03.06.01.E -> IOS XE 03.07.00.E)
HP 5400R zl2
(KB.15.15.0008 -> KB.15.16.0005)
1. Download new image
1. Download new image
2. Upgrade using single command:
ISSU change version bootflash:cat4500es8universalk9.SPA.03.07.00.E.152-3.E.bin
2. Make sure boot setting is configured to
boot to correct flash software was copied
to:
boot set-default flash primary
3. Boot standby module:
boot standby
4. Perform switchover:
redundancy switchover
Cisco 4500E v HP 5400R zl2
Copyright © Miercom 2015
21
DR150313E
4 June 2015
The Ixia system compared the sent and received packet stream and detailed every
packet lost during the transition. With the number of lost packets known, and the packet
size and packet-per-second rate known, calculating the downtime is a straightforward
calculation.
The table below summarizes the impact and duration of the two switches' downtime.
Measured effect of In-Service Software Upgrade (ISSU)
Cisco 4500E
HP 5400R zl2
Test traffic rate, packets per
second (pps)
2,264,492
2,264,492
Number of lost packets
28,711
1,055,793
Downtime for switchover,
milliseconds (ms)
12.68
466.24
The Cisco 4500E exhibits much less downtime to perform a software update than the HP
5400R zl2. With just 13 milliseconds downtime, data loss with the Cisco switch was
28,711 packets. With the HP switch, the downtime was more than 35 times longer,
resulting in the loss of over a million packets.
Cisco 4500E v HP 5400R zl2
Copyright © Miercom 2015
22
DR150313E
4 June 2015
8 - Max Forwarding Information Base Table (FIB) Capacity
“The 4500E provides higher scalability with a FIB table size that is 25 times greater than
the HP 5400R zl2, thereby ensuring capacity for current and future networks.”
To support the routing increases expected over the life of a major switching system, it is
critical that the system be able to accept a large enough number of routes – IPv4, as well
as IPv6 – to accommodate future growth and expansion.
Objective
To determine whether the actual FIB (forwarding information base) capacities supported
by the Cisco 4500E and HP 5400R zl2 switches, for both IPv4 and for IPv6 forwarding,
meet their published capacity claims.
How We Did It
To verify that each switching system could in fact handle their published number of
supported routes, we created 10,000 IPv4 routes on the HP 5400R zl2 and 256,000 IPv4
routes on the Cisco 4500E. We then ran traffic that exercised each of the routes, to
validate that each route had in fact been created and applied, and the switch could
forward data appropriately without any data loss.
In a separate test afterwards we created 5,000 IPv6 routes on the HP 5400R zl2 and
128,000 IPv6 routes on the Cisco 4500E. As with the IPv4 route testing, we ran traffic
that exercised each of the routes.
Results Summary
Cisco. On the Cisco system, IPv4 route status was checked with the command:
#sh ip route summary, which showed the following:
Route Source
Networks
Subnets
Replicates
Overhead
Memory (bytes)
application
0
0
0
0
0
connected
0
8
0
576
1440
static
1
0
0
72
180
ospf 1
0
256000
0
18432000
47104000
IPv6 route status was checked on the Cisco system with the command: #sh ipv6 route
summary, which showed the following:
Cisco 4500E v HP 5400R zl2
Copyright © Miercom 2015
23
DR150313E
4 June 2015
Route Source
Networks
Overhead
Memory (bytes)
connected
2
224
264
local
3
336
396
application
0
0
0
128000
14336000
16896000
ospf 1
HP. IPv4 route status was checked on the HP 5400R zl2 with the command:
#sh ipv4 route summary, which showed the following:
Protocol
Active Routes
OSPF Routes
10000
And HP IPv6 route status was checked with the command: #sh ipv6 route summary:
Protocol
Active Routes
Connected
5
OSPF3_Internal
5000
Results Summary
The FIB table capacities specified in the datasheets of both the Cisco Catalyst 4500E and
the HP 5400R zl2 switches were validated.
Supported FIB (Routing Table) Capacity
Cisco 4500E w/Sup8E
HP 5400R zl2
IPv4 Routes
256,000
10,000
IPv6 Routes
128,000
5,000
Testing verified that the Cisco 4500E supports more than 25 times the route capacity of
the HP 5400R zl2.
.
Cisco 4500E v HP 5400R zl2
Copyright © Miercom 2015
24
DR150313E
4 June 2015
9 - Wireshark – Integral Switch-based Diagnostics
“Cisco Catalyst 4500E simplifies and reduces the cost of network troubleshooting with
the on-board Wireshark packet capture and analysis tool.“
Wireshark, a world-class data-capture, decode and diagnostic tool is built into the Cisco
4500E switch. This simplifies initial troubleshooting by allowing data monitoring to be set
up on a per port basis, up to eight ports on a switch. Captured data is retained right in
the Cisco 4500E’s boot flash, from which the user can, via the built-in Wireshark CLI, do
initial troubleshooting from the stored pcap (captured packet) file.
With the integral Wireshark, the requirement for port mirroring, which is the only way to
accomplish this with the HP 5400R zl2, is eliminated. Port mirroring, also called SPAN or
RSPAN, consumes additional ports, since another port has to be dedicated to receiving a
copy of the data sent and received on the ports that are mirrored. It also requires that
the port be already connected to the server that will receive the copy of the traffic.
(Note: Catalyst 4500E also supports SPAN/RSPAN).
In our testing, we set up the Cisco 4500E to monitor traffic running between a Windows
and a Linux laptop through the Cisco 4500E, and store a copy of the data flow in a bootflash pcap file (mycap1.pcap). The diagram shows the configuration with the Cisco 4500E.
Windows
Laptop
Cisco 4500E
With Built-in
Wireshark
Linux Laptop
Remote Troubleshooting
Server with Wireshark
Source: Miercom, March 2015
Without an integral Wireshark, the mirrored-port approach typically requires another
local server to collect and store the copied pcap data – what the Cisco 4500E with the
integral Wireshark does locally in boot flash.
The file created by the Wireshark utility is a standard file in .pcap format and can be
optionally exported and viewed using the standard Wireshark application on a PC.
Cisco 4500E v HP 5400R zl2
Copyright © Miercom 2015
25
DR150313E
4 June 2015
The following configuration shows how the same functionality is achieved with the HP
5400R zl2.
Windows
Laptop
Linux Laptop
HP 5400R zl2
Local Server on
Mirrored Port
Remote Troubleshooting
Server with Wireshark
Source: Miercom, March 2015
On HP 5400R zl2, you have to dedicate a port that will receive the copy of the traffic.
Also you have to transfer the file to a remote machine running Wireshark application to
be able to decode the captured packets.
From the Linux host, an “Hping2” SYN attack was launched against a server (Windows
laptop), which traversed the Cisco Catalyst 4500E switch.
Wireshark was enabled on the Catalyst 4500E and filters were set up to capture ten
seconds of traffic on port 2/11. The raw packets were captured and saved to local flash
memory. The same packets could also have been exported to an external PC for further
analysis. This process is shown below.
#sh monitor capture
Status information for Capture mycap1
Interface: GigabitEthernet2/11, Direction: in
Status: Active
Filter Details:
Capture all packets
Limit Details:
Number of Packets to capture: 0 (no limit)
Packet Capture duration: 10
Cisco 4500E v HP 5400R zl2
Copyright © Miercom 2015
26
DR150313E
4 June 2015
Packet Size to capture: 0 (no limit)
Packets per second: 0 (no limit)
Packet sampling rate: 0 (no sampling)
A condensed packet summary of the captured “ssh TCP SYN packets” and the “DNS queries”
is shown in the Wireshark CLI sample screenshot below, via the command:
#sh monitor capture file bootflash:mycap1.pcap
We then used the CLI command “show monitor capture file <filename>” with the
“detailed” option to decode and display all the fields of the packet on the console,
enabling detailed analysis on the switch itself. Selected information from the decoded
packets is shown here for simplification.
Frame 7: TCP / SSH (TCP port 22) packet
Frame 7: 64 bytes on wire (512 bits), 64 bytes captured (512 bits)
Arrival Time: Feb 27, 2015 11:03:07.194981000 UTC
Epoch Time: 1425034987.194981000 seconds
<snip>
[Protocols in frame: eth:ip:tcp]
Ethernet II, Src: 74:46:a0:cd:9e:35 (74:46:a0:cd:9e:35), Dst: f8:66:f2:b4:a2:bf (f8:66:f2:b4:a2:bf)
<snip>
Internet Protocol, Src: 31.1.1.1 (31.1.1.1), Dst: 32.1.1.1 (32.1.1.1)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
<snip>
Cisco 4500E v HP 5400R zl2
Copyright © Miercom 2015
27
DR150313E
4 June 2015
Header checksum: 0x1e40 [correct]
[Good: True]
[Bad: False]
Source: 31.1.1.1 (31.1.1.1)
Destination: 32.1.1.1 (32.1.1.1)
Transmission Control Protocol, Src Port: 3059 (3059), Dst Port: ssh (22), Seq: 0, Len: 0
Source port: 3059 (3059)
Destination port: ssh (22)
[Stream index: 6]
Sequence number: 0
(relative sequence number)
<snip>
.... ...0 = Fin: Not set
Checksum: 0x3a84 [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
Frame 8: UDP Port 53 = DNS packet
Frame 8: 84 bytes on wire (672 bits), 84 bytes captured (672 bits)
Arrival Time: Feb 27, 2015 11:03:07.212986000 UTC
Epoch Time: 1425034987.212986000 seconds
<snip>
[Protocols in frame: eth:ip:udp:dns]
Ethernet II, Src: 74:46:a0:cd:9e:35 (74:46:a0:cd:9e:35), Dst: f8:66:f2:b4:a2:bf (f8:66:f2:b4:a2:bf)
Destination: f8:66:f2:b4:a2:bf (f8:66:f2:b4:a2:bf)
Address: f8:66:f2:b4:a2:bf (f8:66:f2:b4:a2:bf)
<snip>
Internet Protocol, Src: 10.10.0.2 (10.10.0.2), Dst: 8.8.4.4 (8.8.4.4)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
<snip>
Header checksum: 0xc0c2 [correct]
[Good: True]
[Bad: False]
Source: 10.10.0.2 (10.10.0.2)
Destination: 8.8.4.4 (8.8.4.4)
User Datagram Protocol, Src Port: 56717 (56717), Dst Port: domain (53)
Source port: 56717 (56717)
Cisco 4500E v HP 5400R zl2
Copyright © Miercom 2015
28
DR150313E
4 June 2015
Destination port: domain (53)
Length: 46
Checksum: 0x92bf [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
Domain Name System (query)
Transaction ID: 0x25d5
Flags: 0x0100 (Standard query)
<snip>
Type: A (Host address)
Class: IN (0x0001)
The network diagnostician can remotely troubleshoot and verify by examining the
packets’ payload that a SYN DoS attack is underway. The tech can ascertain the source
address, the target server, and the exact ports that the attack is targeting. Armed with
this information remediation actions can be launched.
The test was repeated with HP 5400R zl2, however a similar packet analysis on HP switch
required the desired packets to be sent to remote server running Wireshark application.
Here is a snapshot of the decoded packets from the Wireshark application running on a
remote server:
Cisco 4500E v HP 5400R zl2
Copyright © Miercom 2015
29
DR150313E
4 June 2015
10 - About Miercom
Miercom has published hundreds of network-product-comparison analyses – many
made public, appearing in leading trade periodicals and other publications, and many
confidential, for internal use only. Miercom’s reputation as the leading, independent
product test center is undisputed.
Private test services available from Miercom include competitive product analyses, as
well as individual product evaluations. Miercom test methodologies are generally
developed collaboratively with the client, and feature comprehensive certification and
test programs including: Certified Interoperable, Certified Reliable, Certified Secure and
Certified Green. Products may also be evaluated under the Performance Verified
program, the industry’s most thorough and trusted assessment for product usability and
performance.
11 - Use of This Report
Every effort was made to ensure the accuracy of the data in this report. However, errors
and/or oversights can nevertheless occur. The information documented in this report
may depend on various test tools, the accuracy of which is beyond our control.
Furthermore, the document may rely on certain representations by the vendors that
were reasonably verified by Miercom, but are beyond our control to verify with 100percent certainty.
This document is provided “as is” by Miercom, which gives no warranty, representation
or undertaking, whether express or implied, and accepts no legal responsibility, whether
direct or indirect, for the accuracy, completeness, usefulness or suitability of any
information contained herein. Miercom is not liable for damages arising out of or
related to the information contained in this report.
No part of any document may be reproduced, in whole or in part, without the specific
written permission of Miercom or Cisco Systems, Inc. All trademarks used in the
document are owned by their respective owners. You agree not to use any trademark in
or as the whole or part of your own trademarks in connection with any activities,
products or services which are not yours. You also agree not to use any trademarks in a
manner which may be confusing, misleading or deceptive or in a manner that
disparages Miercom or its information, projects or developments.
Cisco 4500E v HP 5400R zl2
Copyright © Miercom 2015
30
DR150313E
4 June 2015